Technology Won’t Stop Intrusions By Itself

I was in a Skype chat early this morning when the people at the company on the other end found that staff were opening a very unusual e-mail. The chaos that ensued reflected a lack of preparedness and a misunderstanding of how technology can protect against external threats. This wasn’t a law firm but, as I saw the messages go by, I kept thinking how it easily could have been.

On the one hand, there were signs that the e-mail was not what it seemed:

the person who sent it usually writes longer messages, and this was very brief

it had a generic attachment – a Word document – that would not normally have been circulated to a group

On the other hand:

it came from the person’s e-mail address

a look at the source code (which I did later) showed it had gone through company servers

the e-mail had this person’s default signature block, which would normally only go out in messages to clients and other staff

Not surprisingly, on balance, staff responded in different ways. It was early in the morning, before normal office hours, but that’s when people start checking their e-mail, even if they aren’t on site. One person warned the IT team, who wouldn’t be in the office for another hour. Four people opened the attachment. A manager sent an all-staff e-mail warning them to delete the e-mail.

The proliferation of viruses and attacks means that not all internet security software is aware of all threats.

Internet security (endpoint security) software is only one of the tools that could potentially have inhibited the activation of this download script. Others include:

Making sure all macro capability is disabled in Microsoft Office products (and, for good measure, JavaScript in your PDF reader) so that, even if a staff person opens the document, it won’t do anything

Training staff to be more alert. Two people figured out there might be a problem, and at least four did not. The staff are probably the last line of defence.
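As an added example, not from the original post or the company involved, this PowerShell script audits (and with -Enforce, sets) the per-user Office policy values that make a macro-carrying Word attachment do nothing when opened. It assumes Office 2016 or later (registry version key 16.0) and runs in the user's own context; a domain would normally push the same values through Group Policy instead.

```powershell
# Added example: audit or enforce Office macro policy for Word, Excel and PowerPoint.
# Assumption: Office 2016/2019/365, whose policy keys live under version "16.0".
param([switch]$Enforce)

$apps    = 'Word', 'Excel', 'PowerPoint'
$version = '16.0'

foreach ($app in $apps) {
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$version\$app\Security"

    # VBAWarnings: 1 = enable all macros, 2 = disable with notification,
    # 3 = disable except digitally signed, 4 = disable all without notification.
    $warnings = (Get-ItemProperty -Path $policyKey -Name VBAWarnings `
                 -ErrorAction SilentlyContinue).VBAWarnings

    # blockcontentexecutionfrominternet: 1 = block macros in files that carry the
    # Mark-of-the-Web, which covers e-mail attachments and downloads.
    $blockMotw = (Get-ItemProperty -Path $policyKey -Name blockcontentexecutionfrominternet `
                  -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet

    $shownWarnings = if ($null -eq $warnings)  { 'unset' } else { $warnings }
    $shownBlock    = if ($null -eq $blockMotw) { 'unset' } else { $blockMotw }
    $status        = if ($warnings -eq 4 -and $blockMotw -eq 1) { 'OK' } else { 'WEAK' }

    Write-Output ("{0,-10} VBAWarnings={1}  blockcontentexecutionfrominternet={2}  -> {3}" -f `
                  $app, $shownWarnings, $shownBlock, $status)

    if ($Enforce -and $status -ne 'OK') {
        if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
        Set-ItemProperty -Path $policyKey -Name VBAWarnings -Value 4 -Type DWord
        Set-ItemProperty -Path $policyKey -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
        Write-Output "  enforced: macros disabled without notification for $app"
    }
}
```

Run without -Enforce first to see which applications still report WEAK; a host that shows OK for all three would have ignored the macro in the attachment described above, though it still needs the scan and isolation the rest of the post argues for.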

The Misunderstanding

At this point, it might have been worth pulling those 4 computers off the network – no access to internal or external network resources. But there was resistance, because there was work to be done and we all rely on our computers to be productive. This was complicated because two of the people who had opened the attachment were senior staff, and not accustomed to being told what to do. Again, taking the law firm perspective, you can imagine a partner in a small firm – they pay the bills, they own the equipment, they hire the staff – being reluctant to spike a couple of productive, billable hours.

It was made worse because the company was using security software and the staff assumed that the software was enough protection, on its own.

I Can See Danger

First, none of the 4 staff who opened the Word document could see anything happening. Because the Word document wasn’t doing anything on their screen – downloaders don’t have a progress bar, by the way – they thought they were fine. They might be correct, if their macro security was turned on. Otherwise, they couldn’t tell.

Staff who think they will see something, or can rely on technology to save them, have a misunderstanding of their role in protecting corporate information and resources, and their own personal and private information.

No Plan

Some people might use the term perfect storm at this point but it really is, as it so often is, just poor planning and a lack of training. The downloader appears to have bypassed all of the technical solutions:

anti-virus on the e-mail server

anti-virus on the staff computers / endpoints

Microsoft Office macro restrictions

staff training

[if the downloader was set to contact a remote server, it was apparently able to do that]

If the company had had a plan in place – if a staff person opens a sketchy e-mail, do this – it might have been contained. But because staff were able to choose whether or not to open a file, and whether or not to stay on the network, it meant that a potentially bad situation was left to its own devices. The computers:

should have been disconnected from other corporate and Internet resources

should have been scanned to verify that, in fact, the endpoint security and other obstacles had worked despite the staff

It also highlighted the fundamental need for training. It’s not just that staff and lawyers need to know how to be aware of potential threats, like e-mail attachments, and what to do with them. They need to understand that the technology is just there to narrow the funnel, and decrease the likelihood that an attack will get all the way to the discretion of the staff person. When staff don’t understand what their technology does and does not do, and make assumptions about how it is securing them so that they need not use as much caution, it creates a likelihood of misunderstandings and potential resource and information loss.

Afterthought: somewhat unrelated, the company probably needs to see if the person’s e-mail account has been accessed. The e-mail was unusual enough that it looked like it came from the actual account, not a spoofed account as is often the case. Also, it went to other addresses in the sender’s address book. This may mean the company has a password / account access problem as well as whatever happens on those computers.


I improve information access and lead information teams. My books on finding information and managing it and practicing law using cloud computing reflect my interest in information management, technology, law practice, and legal research. I've been a library director in Canada and the US, as well as directing the American Bar Association's Legal Technology Resource Center. I speak and write frequently on information, technology, law library, and law practice issues.
